Feeling No Pain: Consumer Indifference and Merchant Risk Acceptance
By Sushila Nair, Product Manager, BT Counterpane
In a world where the consumer makes choices on purchasing based on the lowest price, is there really a driver for organizations to invest in security?
Working for clients around the world, I see them bending over backwards to stay competitive by providing greater functionality and an ever wider range of ways to order products and services and to pay for them. Customers are largely driven by “best value,” so the question becomes not only whether organizations are willing to pay for security but, even more so, whether the customer is willing to pay for it.
It is interesting to note that the Federal Trade Commission (FTC), in penalizing TJX, which lacked the security controls to prevent Gonzalez from stealing 45 million credit card numbers from its systems in 2007, said that the organization was engaging in unfair business practices. The implication is that the consumer has the right to expect a level of security when an organization takes payment by credit card. The FTC, however, was not able to impose any financial penalty, because it does not have the authority to levy civil fines for violations of the FTC Act, which prohibits unfair business practices.
Post incident, how have the companies that suffered a breach been affected? TJX’s results for 2009 indicate above-average year-over-year performance versus its peers in the industry. TJX was not alone in being a victim of Gonzalez; other named companies include 7-Eleven, Heartland, Hannaford, JCPenney, Target, BJ’s, Boston Market, Sports Authority, Dave & Buster’s, OfficeMax, Forever 21, and DSW. Again, looking at the financial performance of these companies, we see no correlation between a breach and a loss in consumer sales.
It would seem that, even though a company incurs some financial liability in the form of penalties from the card companies, company profits are reasonable following a breach, especially given the current market. In essence, the consumer does not appear to be deterred from shopping at a store that has been affected by a breach. One wonders whether that is because consumers do not care about the security of their credit cards, or because they simply assume that the government (FTC) or the card companies will take care of it.
Time and time again, I hear that the security controls required, especially in retail environments, are not in line with what the organization is willing to spend, and it is, therefore, a business risk that the company is willing to take. After all, in a capitalist society, organizations are focused on the beauty pageant that is the stock market; and if consumers do not seem to be making purchasing decisions based on security, then what possible driver is there for businesses to provide good security controls?
Zero consumer liability is often highlighted as the reason consumers do not make purchasing decisions based on the security of their data, which would certainly imply that companies will not suffer consumer wrath for a lack of security controls. The fines and penalties must therefore be large enough that the business risk tips in favor of implementing reasonable security controls, given that there is not a one-to-one correlation between the lack of controls and a breach.
Certainly the fines and penalties imposed by the credit card companies and government bodies remain the only reasons for companies to secure payment card data. As breaches affect the credit card companies’ bottom line, they move to share the cost of inadequate security with the banks and merchants. The banks pass it on to the consumer through fees and other means, and the retailer simply compares the cost of the control against the risk and wonders whether it is worth the gamble that a breach just won’t happen to them.
PCI DSS, with its annual audit, has at the very least ensured that organizations are penalized if suitable controls are not in place, even when no breach has occurred. However, given the lack of any comparable framework for the protection of other sensitive data, one wonders whether organizations take a similarly laissez-faire attitude towards security and bet on “it won’t happen to me.” Even if a breach does occur, you can bet the companies are also evaluating whether the consumer will actually care, as long as cheaper merchandise is available to purchase via the most convenient method. And, sadly, I think the answer is that the consumer does not care.